During the last weeks, I have worked quite a lot with Thomas Naunheim (@Thomas_live) on the community project, Azure AD Attack, and Defense playbook. This blog post opens up motivation and background for our community-driven project.


Thomas wrote a good blog post about the project motivation and for that reason, I’m not going to duplicate all the same information in my post, you can read it from here.

Nowadays, the protection of identities is an essential part of the security architecture and strategy today. At the times we are living now, the COVID-19 pandemic has changed IT-environments drastically compared to the past. Microsoft statistics show clearly that attack against the cloud environment has increased a lot in COVID-19 times. Some insights were shared during Ignite 2020 by Microsoft.

There are over 80 million identity attacks every single day with 98 percent precision.

 Password Spray type of attacks have increased 230% in this year.

Project – The Playbook

Microsoft has announced earlier this year new detections for “Password Spray Attacks” in August 20220. Together with Thomas, we thought that it would be interesting to understand the differentiation, purpose of use, or interaction of those detection methods.

After many hours of investigation in our labs and very interesting discussions over Teams, the project was published yesterday, 19.11.2020. More information on the project can be found from Thomas tweet & blog posts.

Community-driven project

The results from our first use case are available from the following GitHub repository:


We’ve decided to publish the document as “markdown” in GitHub to allow common use and contributions from others.

We would be very pleased if other community members are also interested in research of further attack/defense scenarios in Azure AD and join us to work on this playbook.

Everyone is invited to contribute in various ways:

  • Update or new content (Pull Request): As already mentioned, we like to have a living document which is driven by the Azure AD community! Share your results and insights as part of the project! Send a pull request to add your content to this project.
  • Issues/Outdated content: Protection features or tools changes continually. Update the out-dated content (as part of pull request) or create an issue to point out
  • Reviewer: We also look for experts who want to review or discuss the existing or new content before publishing!
  • Feedback: Feel free to suggest attack/defense scenarios that could be interesting for the community. We will add them to the backlog and idea collection!

The current content is just a beginning, we hope this project will also grow by others that participate in this initiative.

Hopefully, everyone will have as much fun, valuable insights, and discussions as Thomas and I had during our work on “Password Spray” attacks.


Information about the project

GitHub repo – where you can find the outcome of the project